vSphere Virtual Machine Encryption Components

An external KMS, the vCenter Server system, and your ESXi hosts are contributing to the vSphere Virtual Machine Encryption solution.

Figure 1. vSphere Virtual Encryption Architecture

Key Management Server

vCenter Server requests keys from an external KMS. The KMS generates and stores the keys, and passes them to vCenter Server for distribution.

You can use the vSphere Web Client or the vSphere API to add a cluster of KMS instances to the vCenter Server system. If you use multiple KMS instances in a cluster, all instances must be from the same vendor and must replicate keys.

If your environment uses different KMS vendors in different environments, you can add a KMS cluster for each KMS and specify a default KMS cluster. The first cluster that you add becomes the default cluster. You can explicitly specify the default later.

As a KMIP client, vCenter Server uses the Key Management Interoperability Protocol (KMIP) to make it easy to use the KMS of your choice.

vCenter Server

Only vCenter Server has the credentials for logging in to the KMS. Your ESXi hosts do not have those credentials. vCenter Server obtains keys from the KMS and pushes them to the ESXi hosts. vCenter Server does not store the KMS keys, but keeps a list of key IDs.

vCenter Server checks the privileges of users who perform cryptographic operations. You can use the vSphere Web Client to assign cryptographic operation privileges or to assign the No cryptography administrator custom role to groups of users. See Prerequisites and Required Privileges for Encryption Tasks.

vCenter Server adds cryptography events to the list of events that you can view and export from the vSphere Web Client Event Console. Each event includes the user, time, key ID, and cryptographic operation.

The keys that come from the KMS are used as key encryption keys (KEKs).

ESXi Hosts

ESXi hosts are responsible for several aspects of the encryption workflow.